Bug 1185713 - (CVE-2021-32052) VUL-0: CVE-2021-32052: python-Django,python-Django1: header injection possibility since URLValidator accepted newlines in input on Python 3.9.5+
Status: NEW
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other  OS: Other
Priority: P3 - Medium  Severity: Normal
Target Milestone: ---
Assigned To: Security Team bot
https://smash.suse.de/issue/283561/
CVSSv3.1:SUSE:CVE-2021-32052:5.4:(AV:...
Reported: 2021-05-06 11:23 UTC by Gianluca Gabrielli
Modified: 2021-05-07 08:17 UTC (History)
Found By: Security Response Team
Description Gianluca Gabrielli 2021-05-06 11:23:02 UTC
CVE-2021-32052

A flaw was found in Django. On Python 3.9.5+, ``URLValidator`` didn't prohibit newlines and tabs. If you used values with newlines in an HTTP response, you could suffer from header injection attacks. Django itself wasn't vulnerable because ``HttpResponse`` prohibits newlines in HTTP headers.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1957455
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-32052
http://seclists.org/oss-sec/2021/q2/104
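An added illustration of the mechanism described above (example code, not Django's own): a simplified validator whose IDN fallback re-assembles the URL from `urlsplit()`, which on Python 3.9.5+ silently drops tab, CR and LF, shown beside the explicit pre-parse rejection the upstream fix introduced and the newline check that kept `HttpResponse` safe. The regex, the function names and the constructed `CRLF_URL` are assumptions, not values from the report.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Simplified stand-in for Django's URL regex (an assumption, not the
# project's pattern); like the real one it allows no whitespace anywhere.
_URL_RE = re.compile(r"^https?://[^\s/?#]+(?:[/?#][^\s]*)?\Z")

# Tab, CR and LF: the characters the upstream fix rejects up front.
_UNSAFE_CHARS = frozenset("\t\r\n")

# Constructed input: a URL carrying a CRLF followed by a header-shaped line.
CRLF_URL = "https://example.com/\r\nX-Injected:1"


def urlsplit_strips_newlines() -> bool:
    """True on interpreters (3.9.5+) where urlsplit() silently drops \\t \\r \\n."""
    return "\n" not in urlsplit("https://example.com/a\nb").path


def validate_url_unpatched(value: str) -> bool:
    """Model of the pre-fix flow: try the regex, and on failure fall back to
    re-assembling the URL from urlsplit() (the IDN path) and retry."""
    if _URL_RE.match(value):
        return True
    scheme, netloc, path, query, fragment = urlsplit(value)
    rebuilt = urlunsplit((scheme, netloc, path, query, fragment))
    # On 3.9.5+ urlsplit() has already removed the CRLF, so `rebuilt`
    # passes the regex even though `value` never did.
    return bool(_URL_RE.match(rebuilt))


def validate_url_patched(value: str) -> bool:
    """Same flow with the upstream fix: reject unsafe characters before
    any parsing step can hide them."""
    if _UNSAFE_CHARS.intersection(value):
        return False
    return validate_url_unpatched(value)


def header_is_safe(name: str, value: str) -> bool:
    """The defence that kept Django itself safe: a response header may not
    contain CR or LF, so a bad value cannot start a second header line."""
    return not any(c in name or c in value for c in "\r\n")


def set_header(headers: dict, name: str, value: str) -> None:
    """Add a header only after the newline check, as HttpResponse does."""
    if not header_is_safe(name, value):
        raise ValueError(f"Header values can't contain newlines ({name!r})")
    headers[name] = value
```

On a 3.9.5+ interpreter `validate_url_unpatched(CRLF_URL)` returns True while `validate_url_patched(CRLF_URL)` returns False; on older interpreters both return False.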
Comment 1 Gianluca Gabrielli 2021-05-06 11:27:19 UTC
Affected packages:

 - SUSE:SLE-12-SP2:Update:Products:Cloud7:Update/python-Django   1.8.19
 - SUSE:SLE-12-SP3:Update:Products:Cloud8:Update/python-Django   1.11.29
 - SUSE:SLE-12-SP4:Update:Products:Cloud9:Update/python-Django1  1.11.29
 - openSUSE:Factory/python-Django                                3.2

Upstream patches:

 - master [0]
 - 3.2 [1]
 - 3.1 [2]
 - 2.2 [3]

Additional information [4].


[0] https://github.com/django/django/commit/e1e81aa1c4427411e3c68facdd761229ffea6f6f
[1] https://github.com/django/django/commit/2d2c1d0c97832860fbd6597977e2aae17dd7e5b2
[2] https://github.com/django/django/commit/afb23f5929944a407e4990edef1c7806a94c9879
[3] https://github.com/django/django/commit/d9594c4ea57b6309d93879805302cec9ae9f23ff
[4] https://www.djangoproject.com/weblog/2021/may/06/security-releases/
Comment 2 Johannes Grassler 2021-05-06 15:49:07 UTC
We use Python 2 on all versions of SUSE OpenStack Cloud so this does not appear to affect us.
Comment 3 Gianluca Gabrielli 2021-05-07 08:07:59 UTC
Hi Johannes, thanks for pointing this out.

@Alberto, could you please fix this in Factory by bumping the package to version 3.2.2?
Comment 4 Alberto Planas Dominguez 2021-05-07 08:16:59 UTC
(In reply to Gianluca Gabrielli from comment #3)
> Hi Johannes, thanks for pointing this out.
> 
> @Alberto, could you please fix this in Factory by bumping the package to
> version 3.2.2?

https://build.opensuse.org/request/show/891227

There are some missing dependency versions, such as asgiref.